From 86aa3e41afb1b47b59ddfbd52b84b977bb1bb2f8 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 7 Dec 2010 17:01:04 +0100
Subject: Add overflow check to SAFEALIGN_COPY_*_CHECK macros

---
 src/util/util.h | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/util/util.h b/src/util/util.h
index ee2293472..61fe7f6c2 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -215,17 +215,20 @@ safealign_memcpy(void *dest, const void *src, size_t n, size_t *counter)
     SAFEALIGN_SET_VALUE(dest, value, uint16_t, pctr)
 
 #define SAFEALIGN_COPY_UINT32_CHECK(dest, src, len, pctr) do { \
-    if ((*(pctr) + sizeof(uint32_t)) > (len)) return EINVAL; \
+    if ((*(pctr) + sizeof(uint32_t)) > (len) || \
+        SIZE_T_OVERFLOW(*(pctr), sizeof(uint32_t))) return EINVAL; \
     safealign_memcpy(dest, src, sizeof(uint32_t), pctr); \
 } while(0)
 
 #define SAFEALIGN_COPY_INT32_CHECK(dest, src, len, pctr) do { \
-    if ((*(pctr) + sizeof(int32_t)) > (len)) return EINVAL; \
+    if ((*(pctr) + sizeof(int32_t)) > (len) || \
+        SIZE_T_OVERFLOW(*(pctr), sizeof(int32_t))) return EINVAL; \
     safealign_memcpy(dest, src, sizeof(int32_t), pctr); \
 } while(0)
 
 #define SAFEALIGN_COPY_UINT16_CHECK(dest, src, len, pctr) do { \
-    if ((*(pctr) + sizeof(uint16_t)) > (len)) return EINVAL; \
+    if ((*(pctr) + sizeof(uint16_t)) > (len) || \
+        SIZE_T_OVERFLOW(*(pctr), sizeof(uint16_t))) return EINVAL; \
     safealign_memcpy(dest, src, sizeof(uint16_t), pctr); \
 } while(0)
 
-- 
cgit